Black Hat 2022: Sophisticated Cybercriminals, Increased Ransoms
Hackers are becoming increasingly sophisticated in how they conduct their criminal activities, what weapons they have learned to wield and the types of targets they go after. But in some ways they also have not changed.
During the Black Hat USA 2022 conference, author and veteran investigative cybersecurity journalist Kim Zetter gave her assessment of the threat landscape a decade on from the Stuxnet attack that caused substantial damage to Iran’s nuclear program. She is the author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.
Among the changes Zetter noted was that ransoms were increasing from a few thousand to millions of dollars and that criminals are targeting critical infrastructure to get that cash.
Arguably the biggest recent target was the Colonial Pipeline ransomware attack in 2021, where the oil pipeline that powered much of the U.S. East Coast was taken offline by hackers.
Zetter described the Colonial attack as a “watershed moment” of “national security proportions” which, in hindsight, should not have come as a surprise. She said the Colonial attack serves as “a convenient example” to warn organizations to get their house in order as other critical infrastructures are “in the same position or worse.”
Colonial opted to go offline entirely so as not to spread the virus to other systems − a wrong move according to Zetter. “When frenzied consumers initiated a panic buy, the hack itself didn’t inflate prices, it didn’t cause a fuel shortage. But the people responding to it did.”
Colonial failed to have measures in place to prevent such an attack despite the Russian-attributed hack on the Ukrainian power grid in 2015 showing energy systems are vulnerable, she said.
Critical infrastructure is increasingly a target of cybercriminals. Zetter cited figures from Temple University that show critical infrastructure was targeted for attacks some 400 times in 2020 and a total of 1,246 attacks between November 13 and June 30, 2022.
Critical infrastructure sectors are those whose “assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
There are 16 sectors deemed critical infrastructure: chemical, communications, dams, commercial facilities, critical manufacturing, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care and public health, information technology, nuclear reactors and materials and waste, transportation systems and lastly, water and wastewater systems.
Hackers know this and are stepping up their attacks. “These weren’t just attacks on hospitals … these were also targeting oil and gas facilities,” Zetter said. “And the attackers weren’t just targeting IT systems. They were already going after the operational technology networks that are controlling the critical processes.”
Further to her point, Zetter said 75% of respondents in the U.S. oil and gas sector still do not have multi-factor authentication fully implemented, and over half of them blamed it on a lack of in-house cyber skills, citing a survey by Trellix, formed from the merger of FireEye and McAfee.
“We have a habit of reacting to threats after they occur rather than preparing for them − or ignoring voices of reason that warn of impending problems, only to scramble into action when they occur,” she added.
“That is when panic drivers are lining up at East Coast gas stations trying to fill up a trunk full of canisters with gasoline or when election officials turn rogue and undermine the public trust in voting.”
In the decade since Stuxnet, cybercriminals have enjoyed a trickle-down effect of techniques and tools from state-sponsored hackers that have emboldened them, the journalist said.
In that time, hackers have become more professional and have even begun offering “salaried employment to their workers and paid vacations,” she said.
But where they have not changed is their criminal mindset. “They still bicker. They still double-cross one another, and they still think law enforcement won’t catch them. And sometimes they are right about that.”
This article first appeared in IoT World Today’s sister publication AI Business.